Malware comes in many varieties, and theoretically your antivirus should handle them all. Still, it's smart to add an extra layer of ransomware protection. If your antivirus misses a brand-new Trojan or virus, well, it will probably catch it with the next update. But removing ransomware doesn't undo the damage. You still don't have your encrypted files back. That's why adding something like the free Acronis Ransomware Protection is a smart move.

Acronis introduced its Active Protection technology as part of its Acronis True Image backup utility. Acronis Ransomware Protection offers precisely the same technology for free and throws in 5GB of hosted online backup as a second line of defense. Naturally, the company hopes you'll like it so much that you spring for the paid backup product.

Getting Started With Acronis Ransomware Protection

Downloading the utility, signing up for an account, and running the installer takes just a few minutes. After a short tutorial, the product goes into action immediately, rating all active processes as safe or suspicious. Unlike the simple, static displays of RansomFree and Malwarebytes Anti-Ransomware Beta, Acronis shows a colorful moving graph of active processes over the last few minutes. Green represents safe processes, while suspicious ones show up as blue. A red line on the graph indicates detection of behavior suggesting ransomware.

Your setup isn't complete until you identify important files for online backup. Doing so is as simple as dropping files or directories on the program's main window. You can add more files for protection at any time, up to the 5GB limit.

Ransomware Blocking

When Acronis detects suspicious activity, it pops up a warning window and asks you whether to trust or block the process. If you're busy using an archiving program to compress and encrypt files, just click Trust. If the message is unexpected, click Block.

After you click Block, another popup offers to recover any affected files. Note that this doesn't mean restoring from a backup. Acronis can recover any such files from its local cache. The backup is an additional line of defense. On the chance that recovery wasn't effective, Acronis retains the encrypted files in a dedicated folder.

This second popup also states, "You can blacklist this process to block it permanently," which confused me just a bit. There was no link to blacklist the program, and of course it didn't appear on the Manage Processes view because Acronis already terminated it.

I found that running the same sample twice and blocking it a second time got a slightly different result. The warning popup added a checkbox titled "Remember my choice for this process," checked by default. This time clicking Block actively blacklisted the process and offered a link to the Manage Processes page.

My contact at Acronis confirmed this is working as designed, and indeed it is effective. However, I think the messaging could be clearer.

Acronis in Action

The only way to really be sure a ransomware protection product works is to expose it to real-world ransomware. I have a half-dozen samples that I use for this kind of testing. Acronis blocked all but one of them, which is better than many. RansomFree also missed one. CryptoPrevent Premium missed half the samples, and some of those that it caught managed to encrypt numerous files before detection.

Bitdefender Anti-Ransomware also missed half of the samples, but I should point out that Bitdefender doesn't attempt to detect ransomware behavior. Rather, it vaccinates the system against known ransomware by planting flags that make the system look like it's already infected.

On the flip side, Malwarebytes and Check Point ZoneAlarm Anti-Ransomware caught all my samples, though one sample managed to encrypt a handful of files before Malwarebytes zapped it. ZoneAlarm's only error was reporting that it failed to restore all files in one instance, when in fact it succeeded.

Before I had actual ransomware samples, I wrote a very simple ransomware simulator that I called FakeCryptor. It launches at startup, seeks text files in the Documents folder, and encrypts them using a simple, reversible algorithm. Behavior-based detection systems often don't detect this simple-minded tool, because it's not using the serious encryption algorithms found in real ransomware. Acronis didn't mark it as suspicious, though RansomStopper and Trend Micro RansomBuster did. That's not a black mark for Acronis, as this program is not actually ransomware.
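One signal a behavior-based detector can key on is the jump in byte entropy when a file is rewritten. The sketch below is an added example, not code from this review and not Acronis's or any other vendor's actual method; it shows why a simple reversible transform leaves that signal flat while strong-cipher output does not. The one-byte XOR, the SHA-256 keystream standing in for strong encryption, the thresholds, and the sample text are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def simple_reversible(data: bytes, key: int = 0x5A) -> bytes:
    """Assumed stand-in for a 'simple, reversible algorithm': one-byte XOR."""
    return bytes(b ^ key for b in data)

def strong_like(data: bytes, seed: bytes = b"constructed-seed") -> bytes:
    """Stand-in for strong cipher output: XOR with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def classify_rewrite(before: bytes, after: bytes,
                     floor: float = 7.0, jump: float = 2.0) -> str:
    """Flag a rewrite whose result is near-random and far above the original."""
    h_before, h_after = shannon_entropy(before), shannon_entropy(after)
    if h_after >= floor and h_after - h_before >= jump:
        return "suspicious"
    return "unremarkable"

# Constructed sample document (about 5 KB of plain text).
SAMPLE = b"Meeting notes: budget review moved to Thursday, bring the draft.\n" * 80

if __name__ == "__main__":
    for name, transform in (("simple", simple_reversible), ("strong-like", strong_like)):
        out = transform(SAMPLE)
        print(f"{name:12s} entropy {shannon_entropy(SAMPLE):.2f} -> "
              f"{shannon_entropy(out):.2f}  {classify_rewrite(SAMPLE, out)}")
```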

In testing, I found that CyberSight RansomStopper caught my FakeCryptor program when I launched it manually, but not when it ran at startup. That suggested a new test. I took a ransomware sample that Acronis definitely foiled, dropped it in the Startup folder, and rebooted the system. Like RansomFree, Acronis successfully blocked the ransomware attack at system startup.

I recently obtained a sample of the dreaded Petya ransomware. This one's different. Rather than encrypting specific files, it performs whole-disk encryption, meaning that you can't use your computer at all. I've only tested a few products with Petya, and results are mixed. Like RansomStopper, Acronis caught the attack before it could do any harm. But Cybereason RansomFree and Malwarebytes focus strictly on file-encryption ransomware, so they missed it.

Simulated Ransomware

Security intelligence company KnowBe4 offers a free ransomware simulator called RanSim. This tool runs 10 helper programs that simulate 10 different types of ransomware behavior, as well as two processes that perform legitimate encryption tasks and thus shouldn't be blocked. I celebrate high scores in this test, but don't penalize for low scores. After all, these are just simulations, not actual ransomware. RansomFree, for example, ignored them completely, as did RansomStopper.

Like RansomBuster, Acronis detected and blocked all 10 of the simulated ransomware attacks and incorrectly blocked one of the innocent processes. ZoneAlarm eliminated all the helper processes before they could launch, leaving RanSim unable to offer a score.

Other Approaches

Like most ransomware protection tools, Acronis relies on behavior-based detection. It also includes two levels of file recovery, the local cache and the online backup. But these aren't the only approaches to foiling ransomware attacks.

As noted, Bitdefender's free anti-ransomware tool fools certain known ransomware types into thinking they've already infected the system. Bitdefender Antivirus Plus does quite a bit more. In addition to behavior-based detection of ransomware and other malware, it blocks unauthorized modification to any files in folders you designate for protection. If it pops up when you use a new image editor for the first time, just whitelist the program. If it pops up when you haven't done anything, block the attacker.

Webroot SecureAnywhere AntiVirus takes an unusual approach to malware detection in general. When it encounters an unknown process, it starts journaling all activity and sending behavioral data to its cloud-based analysis system. It also prevents any non-reversible actions such as transmitting your private data out of the computer. If the cloud system decides the process is malicious, Webroot terminates it and reverses all of its activity. This process can reverse a ransomware attack, though Webroot warns that there's a limit on how much activity data it can cache.

A Fine Choice

Acronis Ransomware Protection is a fine addition to your security arsenal. It works alongside your antivirus as a second layer of defense against ransomware attack. For yet another layer of protection, it offers cloud backup for 5GB of your most important files. Given that they're both free, you may also want to try Cybereason RansomFree and Malwarebytes Anti-Ransomware before making a final decision.

Our Editors' Choice in the realm of ransomware protection isn't free, though it's not expensive. Check Point ZoneAlarm Anti-Ransomware costs $2.99 per month for three licenses. It turned in excellent performance in our hands-on testing, detecting all the ransomware samples and correctly recovering all files. Its only mistake was incorrectly reporting that it hadn't successfully recovered files.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of ...